* newrole assertion
From: Xavier Toth @ 2008-07-08 19:02 UTC
To: SELinux List, Stephen Smalley; +Cc: Joe Nall

Using MLS enforcing in a gnome-terminal with context
user_u:user_r:user_t:s0-s15:c0.c1023 I run newrole and get these results:

newrole -l s1-s1 -- -c "gnome-terminal --disable-factory"
Password:
**
** ERROR:(terminal.c:1016):new_terminal_with_options: assertion failed: (profile)

I think Joe straced this and has a little more info if he'd like to chime in.

--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.
* Re: newrole assertion
From: Stephen Smalley @ 2008-07-09 15:23 UTC
To: Xavier Toth; +Cc: SELinux List, Joe Nall

On Tue, 2008-07-08 at 14:02 -0500, Xavier Toth wrote:
> Using MLS enforcing in a gnome-terminal with context
> user_u:user_r:user_t:s0-s15:c0.c1023 I run newrole and get these
> results
>
> newrole -l s1-s1 -- -c "gnome-terminal --disable-factory"
> Password:
> **
> ** ERROR:(terminal.c:1016):new_terminal_with_options: assertion
> failed: (profile)
>
> I think Joe straced this and has a little more info if he'd like to chime in.

So, I assume that this does not happen if in permissive mode?
What AVC denials occur? Run semodule -DB and retry if there are no AVCs
by default.

What is the application trying to do at that point (look at the source
code and/or ask on the gnome lists)? What are the possible failure
conditions there? What external dependencies does it have?

strace output might help if you have it.

--
Stephen Smalley
National Security Agency
* Re: newrole assertion - should be gnome-terminal assertion
From: Ted X Toth @ 2008-07-09 18:24 UTC
To: Stephen Smalley; +Cc: SELinux List, Joe Nall

Stephen Smalley wrote:
> So, I assume that this does not happen if in permissive mode?
> What AVC denials occur? Run semodule -DB and retry if there are no AVCs
> by default.
>
> What is the application trying to do at that point (look at the source
> code and/or ask on the gnome lists)? What are the possible failure
> conditions there? What external dependencies does it have?
>
> strace output might help if you have it.

Sorry to have bothered you. Looks like it has something to do with
polyinstantiation of ~/.gnome or ~/.gnome2. We haven't seen this with
previous versions even when polyinstantiating :(
* Re: newrole assertion - should be gnome-terminal assertion
From: Stephen Smalley @ 2008-07-10 12:09 UTC
To: Xavier Toth; +Cc: SELinux List, Joe Nall

On Wed, 2008-07-09 at 17:17 -0500, Xavier Toth wrote:
> On Wed, Jul 9, 2008 at 1:24 PM, Ted X Toth <txtoth@gmail.com> wrote:
> > Sorry to have bothered you. Looks like it has something to do with
> > polyinstantiation of ~/.gnome or ~/.gnome2. We haven't seen this with
> > previous versions even when polyinstantiating :(
>
> Hmmm this was a bit of a rush to judgment :( It actually turned out
> that if I don't polyinstantiate /tmp then I can start gnome-terminal
> as shown in permissive but it still doesn't work in enforcing. I tried
> turning off dontaudit but I'm not seeing any AVC out of
> gnome-terminal. I've attached a strace; maybe you'll see something that
> I don't.

Look for any avcs at all - they might be occurring during the
polyinstantiation, or from dbus, or from the X server.

Also, run the strace while permissive and diff the two strace outputs to
see how they differ (imperfect, there will be noise, but helpful
nonetheless).

I see quite a few ENOENTs in there, e.g. on the .gnome2 files, not sure
how many of those are expected/harmless.

--
Stephen Smalley
National Security Agency
* Re: newrole assertion - should be gnome-terminal assertion
From: Xavier Toth @ 2008-07-10 14:33 UTC
To: Stephen Smalley; +Cc: SELinux List, Joe Nall

On Thu, Jul 10, 2008 at 7:09 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> Look for any avcs at all - they might be occurring during the
> polyinstantiation, or from dbus, or from the X server.
>
> Also, run the strace while permissive and diff the two strace outputs to
> see how they differ (imperfect, there will be noise, but helpful
> nonetheless).
>
> I see quite a few ENOENTs in there, e.g. on the .gnome2 files, not sure
> how many of those are expected/harmless.

Any idea how to capture strace output in enforcing? I've tried using
the -o option but strace can't write to tmp or the user's home dir in
enforcing.
* Re: newrole assertion - should be gnome-terminal assertion
From: Stephen Smalley @ 2008-07-10 14:38 UTC
To: Xavier Toth; +Cc: SELinux List, Joe Nall

On Thu, 2008-07-10 at 09:33 -0500, Xavier Toth wrote:
> Any idea how to capture strace output in enforcing? I've tried using
> the -o option but strace can't write to tmp or the user's home dir in
> enforcing.

Not sure I follow - why can't it write to its polyinstantiated /tmp
directory?

--
Stephen Smalley
National Security Agency
* Fwd: newrole assertion - should be gnome-terminal assertion
From: Xavier Toth @ 2008-07-10 15:21 UTC
To: SELinux List, Joe Nall

---------- Forwarded message ----------
From: Xavier Toth <txtoth@gmail.com>
Date: Thu, Jul 10, 2008 at 10:06 AM
Subject: Re: newrole assertion - should be gnome-terminal assertion
To: Stephen Smalley <sds@tycho.nsa.gov>

On Thu, Jul 10, 2008 at 9:38 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> Not sure I follow - why can't it write to its polyinstantiated /tmp
> directory?

You're right, that does work as long as you've got an instance directory
at the right level ;) which I didn't previously. The assertion points to a
problem of not having a 'profile' so I've looked through the strace output
but don't see anything that is related to loading 'profiles'.
* Re: newrole assertion - should be gnome-terminal assertion
From: Xavier Toth @ 2008-07-10 15:30 UTC
To: Stephen Smalley; +Cc: SELinux List, Joe Nall

On Thu, Jul 10, 2008 at 7:09 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> Look for any avcs at all - they might be occurring during the
> polyinstantiation, or from dbus, or from the X server.
>
> Also, run the strace while permissive and diff the two strace outputs to
> see how they differ (imperfect, there will be noise, but helpful
> nonetheless).
>
> I see quite a few ENOENTs in there, e.g. on the .gnome2 files, not sure
> how many of those are expected/harmless.

Comparing straces when gnome-terminal fails to start there is a problem
with it talking to dbus (~line 1062 of the trace I attached previously).
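Stephen's suggestion of diffing a permissive-mode strace against an enforcing-mode one, and the dbus connect() failure Xavier found that way, as an added example that is not part of the thread: a small Python script that normalises the noisy parts of two strace logs (PIDs, timestamps, addresses, descriptor numbers) and reports the calls that fail only under enforcing. The strace lines are constructed for illustration, not taken from the thread's attachment.

```python
"""Diff a permissive-mode strace against an enforcing-mode one and report
calls that fail only under enforcing; run-to-run noise is normalised away."""
import re

# One strace line: optional "[pid N]" or "N" prefix (strace -f), optional
# timestamp (strace -t/-tt), then  name(args) = result
LINE_RE = re.compile(
    r'^(?:\[pid\s+\d+\]\s+|\d+\s+)?'
    r'(?:\d{2}:\d{2}:\d{2}(?:\.\d+)?\s+)?'
    r'(?P<call>\w+)\((?P<args>.*)\)\s+=\s+(?P<ret>.*)$'
)
ERRNO_RE = re.compile(r'^-1\s+(E[A-Z0-9]+)')


def normalise_args(args):
    """Blank out values that legitimately differ from run to run."""
    args = re.sub(r'0x[0-9a-fA-F]+', '0xADDR', args)   # buffer addresses
    args = re.sub(r'^\d+(?=,|$)', 'FD', args)          # leading descriptor
    return args


def parse_trace(text):
    """Map (syscall, normalised args) -> set of outcomes: 'ok' or an errno."""
    calls = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue   # signals, exit markers, <unfinished ...> fragments
        key = (m['call'], normalise_args(m['args']))
        err = ERRNO_RE.match(m['ret'])
        calls.setdefault(key, set()).add(err.group(1) if err else 'ok')
    return calls


def compare_traces(permissive, enforcing):
    """Return (syscall, args, errno) for failures seen only under enforcing.
    An errno that also occurs in the permissive run (e.g. ENOENT on optional
    ~/.gnome2 files) is expected noise; the rest is the shortlist to
    correlate with AVC messages from the same time window."""
    perm = parse_trace(permissive)
    findings = []
    for key, outcomes in parse_trace(enforcing).items():
        new_errors = {o for o in outcomes if o != 'ok'} - perm.get(key, set())
        for errno in sorted(new_errors):
            findings.append((key[0], key[1], errno))
    return findings


# Constructed sample traces (not the thread's attachment): the dbus connect()
# succeeds in permissive mode and is refused in enforcing mode.
PERMISSIVE_TRACE = """\
12345 open("/home/user/.gnome2/accels/gnome-terminal", O_RDONLY) = -1 ENOENT (No such file or directory)
12345 socket(PF_FILE, SOCK_STREAM, 0) = 3
12345 connect(3, {sa_family=AF_FILE, path="/var/run/dbus/system_bus_socket"}, 33) = 0
"""
ENFORCING_TRACE = """\
23456 open("/home/user/.gnome2/accels/gnome-terminal", O_RDONLY) = -1 ENOENT (No such file or directory)
23456 socket(PF_FILE, SOCK_STREAM, 0) = 3
23456 connect(3, {sa_family=AF_FILE, path="/var/run/dbus/system_bus_socket"}, 33) = -1 EACCES (Permission denied)
"""

if __name__ == '__main__':
    for call, args, errno in compare_traces(PERMISSIVE_TRACE, ENFORCING_TRACE):
        print(f'{call}({args}) fails only in enforcing: {errno}')
```

On a real pair of logs, feed the contents of the two `strace -f -o` files to `compare_traces`; the shared ENOENT lines Stephen mentions drop out and the enforcing-only failures remain.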